ethyca-fides 2.69.1b2__py2.py3-none-any.whl → 2.69.1rc0__py2.py3-none-any.whl

fides/_version.py

@@ -8,11 +8,11 @@ import json
 
 version_json = '''
 {
- "date": "2025-09-02T19:44:54+0200",
+ "date": "2025-09-03T19:56:24+0200",
  "dirty": false,
  "error": null,
- "full-revisionid": "be844cb784cc2f806cb1fe1d7d92cb8cc4c91ad4",
- "version": "2.69.1b2"
+ "full-revisionid": "792b5cd4c5cb409b37e792476fd5b9d15be7ddb6",
+ "version": "2.69.1rc0"
 }
 '''  # END VERSION_JSON
 

fides/api/alembic/migrations/versions/78dbe23d8204_adding_privacy_request_redaction_patterns.py

@@ -0,0 +1,52 @@
+"""adding privacy requeste redaction patterns
+
+Revision ID: 78dbe23d8204
+Revises: b1a2c3d4e5f6
+Create Date: 2025-08-30 05:40:17.816172
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "78dbe23d8204"
+down_revision = "b1a2c3d4e5f6"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "privacy_request_redaction_pattern",
+        sa.Column("id", sa.String(length=255), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column("pattern", sa.String(), nullable=False),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("pattern"),
+    )
+    op.create_index(
+        op.f("ix_privacy_request_redaction_pattern_id"),
+        "privacy_request_redaction_pattern",
+        ["id"],
+        unique=False,
+    )
+
+
+def downgrade():
+    op.drop_index(
+        op.f("ix_privacy_request_redaction_pattern_id"),
+        table_name="privacy_request_redaction_pattern",
+    )
+    op.drop_table("privacy_request_redaction_pattern")

fides/api/api/v1/api.py

@@ -17,6 +17,7 @@ from fides.api.api.v1.endpoints import (
     policy_webhook_endpoints,
     pre_approval_webhook_endpoints,
     privacy_request_endpoints,
+    privacy_request_redaction_patterns_endpoints,
     registration_endpoints,
     saas_config_endpoints,
     storage_endpoints,
@@ -41,6 +42,7 @@ api_router.include_router(policy_endpoints.router)
 api_router.include_router(policy_webhook_endpoints.router)
 api_router.include_router(pre_approval_webhook_endpoints.router)
 api_router.include_router(privacy_request_endpoints.router)
+api_router.include_router(privacy_request_redaction_patterns_endpoints.router)
 api_router.include_router(identity_verification_endpoints.router)
 api_router.include_router(storage_endpoints.router)
 api_router.include_router(messaging_endpoints.router)

fides/api/api/v1/endpoints/oauth_endpoints.py

@@ -8,8 +8,8 @@ from loguru import logger
 from sqlalchemy.orm import Session
 from starlette.status import (
     HTTP_400_BAD_REQUEST,
+    HTTP_403_FORBIDDEN,
     HTTP_404_NOT_FOUND,
-    HTTP_422_UNPROCESSABLE_ENTITY,
 )
 
 from fides.api.api.deps import get_db
@@ -26,7 +26,7 @@ from fides.api.models.client import ClientDetail
 from fides.api.models.connectionconfig import ConnectionConfig, ConnectionTestStatus
 from fides.api.models.fides_user import FidesUser
 from fides.api.oauth.roles import ROLES_TO_SCOPES_MAPPING
-from fides.api.oauth.utils import verify_oauth_client
+from fides.api.oauth.utils import verify_client_can_assign_scopes, verify_oauth_client
 from fides.api.schemas.client import ClientCreatedResponse
 from fides.api.schemas.oauth import AccessToken, OAuth2ClientCredentialsRequestForm
 from fides.api.service.authentication.authentication_strategy import (
@@ -123,22 +123,28 @@ async def acquire_access_token(
 
 @router.post(
     CLIENT,
-    dependencies=[Security(verify_oauth_client, scopes=[CLIENT_CREATE])],
     response_model=ClientCreatedResponse,
 )
 def create_client(
     *,
+    request: Request,
     db: Session = Depends(get_db),
     scopes: List[str] = Body([]),
+    requesting_client: ClientDetail = Security(
+        verify_oauth_client, scopes=[CLIENT_CREATE]
+    ),
 ) -> ClientCreatedResponse:
     """Creates a new client and returns the credentials. Only direct scopes can be added to the client via this endpoint."""
     logger.info("Creating new client")
     if not all(scope in SCOPE_REGISTRY for scope in scopes):
         raise HTTPException(
-            status_code=HTTP_422_UNPROCESSABLE_ENTITY,
+            status_code=HTTP_403_FORBIDDEN,
             detail=f"Invalid Scope. Scopes must be one of {SCOPE_REGISTRY}.",
         )
 
+    # Security check: Verify that the requesting client has all the scopes they're trying to assign
+    verify_client_can_assign_scopes(request, requesting_client, scopes, db)
+
     client, secret = ClientDetail.create_client_and_secret(
         db,
         CONFIG.security.oauth_client_id_length_bytes,
@@ -180,13 +186,16 @@ def get_client_scopes(client_id: str, db: Session = Depends(get_db)) -> List[str
 
 @router.put(
     CLIENT_SCOPE,
-    dependencies=[Security(verify_oauth_client, scopes=[CLIENT_UPDATE])],
     response_model=None,
 )
 def set_client_scopes(
     client_id: str,
     scopes: List[str],
+    request: Request,
     db: Session = Depends(get_db),
+    requesting_client: ClientDetail = Security(
+        verify_oauth_client, scopes=[CLIENT_UPDATE]
+    ),
 ) -> None:
     """Overwrites the client's directly-assigned scopes with those provided.
     Roles cannot be edited via this endpoint.
@@ -197,10 +206,13 @@ def set_client_scopes(
 
     if not all(elem in SCOPE_REGISTRY for elem in scopes):
         raise HTTPException(
-            status_code=HTTP_422_UNPROCESSABLE_ENTITY,
+            status_code=HTTP_403_FORBIDDEN,
             detail=f"Invalid Scope. Scopes must be one of {SCOPE_REGISTRY}.",
         )
 
+    # Security check: Verify that the requesting client has all the scopes they're trying to assign
+    verify_client_can_assign_scopes(request, requesting_client, scopes, db)
+
     logger.info("Updating client scopes")
     client.update(db, data={"scopes": scopes})
 

fides/api/api/v1/endpoints/privacy_request_endpoints.py

@@ -1667,15 +1667,17 @@ def privacy_request_data_transfer(
             detail=f"Rule key {rule_key} not found",
         )
 
-    access_result: Dict[str, Optional[List[Row]]] = (
-        privacy_request.get_raw_access_results()
+    value_dict: Dict[str, Optional[List[Row]]] = cache.get_encoded_objects_by_prefix(
+        f"{privacy_request_id}__access_request"
     )
 
-    if not access_result:
+    if not value_dict:
         raise HTTPException(
             status_code=HTTP_404_NOT_FOUND,
             detail=f"No access request information found for privacy request id {privacy_request_id}",
         )
+
+    access_result = {k.split("__")[-1]: v for k, v in value_dict.items()}
     datasets = DatasetConfig.all(db=db)
     if not datasets:
         raise HTTPException(

fides/api/api/v1/endpoints/privacy_request_redaction_patterns_endpoints.py

@@ -0,0 +1,95 @@
+from fastapi import Depends, HTTPException, Security
+from fastapi.routing import APIRouter
+from loguru import logger
+from sqlalchemy.orm import Session
+from starlette.status import HTTP_200_OK
+
+from fides.api.api.deps import get_db
+from fides.api.models.privacy_request_redaction_pattern import (
+    PrivacyRequestRedactionPattern,
+)
+from fides.api.oauth.utils import verify_oauth_client
+from fides.api.schemas.privacy_request_redaction_patterns import (
+    PrivacyRequestRedactionPatternsRequest,
+    PrivacyRequestRedactionPatternsResponse,
+)
+from fides.common.api.scope_registry import (
+    PRIVACY_REQUEST_REDACTION_PATTERNS_READ,
+    PRIVACY_REQUEST_REDACTION_PATTERNS_UPDATE,
+)
+from fides.common.api.v1.urn_registry import (
+    PRIVACY_REQUEST_REDACTION_PATTERNS,
+    V1_URL_PREFIX,
+)
+
+router = APIRouter(
+    tags=["Privacy Request Redaction Patterns"],
+    prefix=V1_URL_PREFIX,
+)
+
+
+@router.get(
+    PRIVACY_REQUEST_REDACTION_PATTERNS,
+    status_code=HTTP_200_OK,
+    response_model=PrivacyRequestRedactionPatternsResponse,
+    dependencies=[
+        Security(verify_oauth_client, scopes=[PRIVACY_REQUEST_REDACTION_PATTERNS_READ])
+    ],
+)
+def get_privacy_request_redaction_patterns(
+    *, db: Session = Depends(get_db)
+) -> PrivacyRequestRedactionPatternsResponse:
+    """
+    Get the current privacy request redaction patterns configuration.
+
+    Returns the list of regex patterns used to mask dataset, collection,
+    and field names in privacy request package reports.
+    """
+    logger.info("Getting privacy request redaction patterns configuration")
+
+    patterns = PrivacyRequestRedactionPattern.get_patterns(db)
+    return PrivacyRequestRedactionPatternsResponse(patterns=patterns)
+
+
+@router.put(
+    PRIVACY_REQUEST_REDACTION_PATTERNS,
+    status_code=HTTP_200_OK,
+    response_model=PrivacyRequestRedactionPatternsResponse,
+    dependencies=[
+        Security(
+            verify_oauth_client, scopes=[PRIVACY_REQUEST_REDACTION_PATTERNS_UPDATE]
+        )
+    ],
+)
+def update_privacy_request_redaction_patterns(
+    *,
+    db: Session = Depends(get_db),
+    request: PrivacyRequestRedactionPatternsRequest,
+) -> PrivacyRequestRedactionPatternsResponse:
+    """
+    Update the privacy request redaction patterns configuration.
+
+    This is a complete replacement of the patterns list. To clear all patterns,
+    send an empty list.
+    """
+    logger.info(
+        "Updating privacy request redaction patterns configuration with {} patterns",
+        len(request.patterns),
+    )
+
+    try:
+        updated = PrivacyRequestRedactionPattern.replace_patterns(
+            db=db, patterns=request.patterns
+        )
+
+        logger.info("Successfully updated privacy request redaction patterns")
+        return PrivacyRequestRedactionPatternsResponse(patterns=updated)
+
+    except Exception as exc:
+        logger.exception(
+            "Failed to update privacy request redaction patterns: {}", str(exc)
+        )
+        raise HTTPException(
+            status_code=500,
+            detail="Failed to update privacy request redaction patterns",
+        ) from exc

fides/api/api/v1/endpoints/user_endpoints.py

@@ -117,7 +117,7 @@ def verify_user_read_scopes(
     db: Session = Depends(get_db),
 ) -> ClientDetail:
     """
-    Custom dependency that verifies the user has either user:read or user:read-own scope.
+    Custom dependency that verifies the user has either USER_READ or USER_READ_OWN scope.
     Returns the client if authorized.
     """
     token_data, client = extract_token_and_load_client(authorization, db)
@@ -159,7 +159,7 @@ async def update_user(
 ) -> FidesUser:
     """
     Update a user given a `user_id`. If the user is not updating their own data,
-    they need the user:update scope
+    they need the USER_UPDATE scope
     """
     user = FidesUser.get(db=db, object_id=user_id)
     if not user:
@@ -208,6 +208,17 @@ def update_user_password(
 
     current_user.update_password(db=db, new_password=data.new_password)
 
+    # Delete the user's associated OAuth client to invalidate all existing sessions
+    if current_user.client:
+        try:
+            current_user.client.delete(db)
+        except Exception as exc:
+            logger.exception(
+                "Unable to delete user client during password reset for user {}: {}",
+                current_user.id,
+                exc,
+            )
+
     logger.info("Updated user with id: '{}'.", current_user.id)
     return current_user
 
@@ -236,6 +247,18 @@ def force_update_password(
         )
 
     user.update_password(db=db, new_password=data.new_password)
+
+    # Delete the user's associated OAuth client to invalidate all existing sessions
+    if user.client:
+        try:
+            user.client.delete(db)
+        except Exception as exc:
+            logger.exception(
+                "Unable to delete user client during admin-forced password reset for user {}: {}",
+                user.id,
+                exc,
+            )
+
     logger.info("Updated user with id: '{}'.", user.id)
     return user
 
@@ -548,7 +571,7 @@ def get_user(
     client: ClientDetail = Security(verify_user_read_scopes),
     authorization: str = Security(oauth2_scheme),
 ) -> FidesUser:
-    """Returns a User based on an Id. Users with user:read-own scope can only access their own data. Users with user:read can access other's data."""
+    """Returns a User based on an Id. Users with USER_READ_OWN scope can only access their own data."""
     user: Optional[FidesUser] = FidesUser.get_by_key_or_id(db, data={"id": user_id})
     if user is None:
         raise HTTPException(status_code=HTTP_404_NOT_FOUND, detail="User not found")

fides/api/db/base.py

@@ -66,6 +66,9 @@ from fides.api.models.privacy_preference import (
     ServedNoticeHistory,
 )
 from fides.api.models.privacy_request import PrivacyRequest
+from fides.api.models.privacy_request_redaction_pattern import (
+    PrivacyRequestRedactionPattern,
+)
 from fides.api.models.property import (
     MessagingTemplateToProperty,
     PrivacyExperienceConfigProperty,

fides/api/models/client.py

@@ -51,6 +51,7 @@ class ClientDetail(Base):
     user_id = Column(
         String, ForeignKey(FidesUser.id_field_path), nullable=True, unique=True
     )
+    user: Optional["FidesUser"]
 
     @classmethod
     def create_client_and_secret(

fides/api/models/privacy_request_redaction_pattern.py

@@ -0,0 +1,64 @@
+from typing import List, Set
+
+from sqlalchemy import Column, String
+from sqlalchemy.ext.declarative import declared_attr
+from sqlalchemy.orm import Session
+
+from fides.api.db.base_class import Base
+
+
+class PrivacyRequestRedactionPattern(Base):
+    """
+    Stores one regex pattern per row for masking dataset, collection, and field names
+    in DSR package reports.
+    """
+
+    @declared_attr
+    def __tablename__(self) -> str:
+        return "privacy_request_redaction_pattern"
+
+    # One pattern per row; unique to prevent duplicates
+    pattern = Column(String, nullable=False, unique=True)
+
+    @classmethod
+    def get_patterns(cls, db: Session) -> List[str]:
+        """
+        Get the current list of masking patterns ordered by creation time.
+
+        Returns:
+            List of regex pattern strings, or None if no patterns are configured
+        """
+        rows = db.query(cls).order_by(cls.created_at.asc()).all()
+        if not rows:
+            return []
+        return [row.pattern for row in rows]
+
+    @classmethod
+    def replace_patterns(cls, db: Session, patterns: List[str]) -> List[str]:
+        """
+        Replace the set of stored patterns with the provided list using set reconciliation.
+
+        - Adds patterns that are not present
+        - Removes patterns that are no longer desired
+        - Returns the resulting canonical list in deterministic order
+        """
+        # Normalize: trim whitespace, remove empties and duplicates
+        desired: Set[str] = {p.strip() for p in patterns if p and p.strip()}
+
+        # Fetch existing patterns from DB as a set
+        existing: Set[str] = set(p for (p,) in db.query(cls.pattern).all())
+
+        to_add = desired - existing
+        to_remove = existing - desired
+
+        if to_remove:
+            db.query(cls).filter(cls.pattern.in_(list(to_remove))).delete(
+                synchronize_session=False
+            )
+
+        if to_add:
+            db.bulk_save_objects([cls(pattern=p) for p in to_add])
+
+        db.commit()
+
+        return sorted(desired)

fides/api/oauth/utils.py

@@ -4,16 +4,16 @@ import json
 from datetime import datetime
 from functools import update_wrapper
 from types import FunctionType
-from typing import Any, Callable, Dict, List, Optional, Tuple
+from typing import Any, Callable, Dict, List, Optional, Tuple, cast
 
-from fastapi import Depends, HTTPException, Security
+from fastapi import Depends, HTTPException, Request, Security
 from fastapi.security import SecurityScopes
 from jose import exceptions, jwe
 from jose.constants import ALGORITHMS
 from loguru import logger
 from pydantic import ValidationError
 from sqlalchemy.orm import Session
-from starlette.status import HTTP_404_NOT_FOUND
+from starlette.status import HTTP_403_FORBIDDEN, HTTP_404_NOT_FOUND
 
 from fides.api.api.deps import get_db
 from fides.api.common_exceptions import AuthenticationError, AuthorizationError
@@ -30,7 +30,7 @@ from fides.api.models.fides_user_permissions import FidesUserPermissions
 from fides.api.models.policy import PolicyPreWebhook
 from fides.api.models.pre_approval_webhook import PreApprovalWebhook
 from fides.api.models.privacy_request import RequestTask
-from fides.api.oauth.roles import get_scopes_from_roles
+from fides.api.oauth.roles import ROLES_TO_SCOPES_MAPPING, get_scopes_from_roles
 from fides.api.request_context import set_user_id
 from fides.api.schemas.external_https import (
     DownloadTokenJWE,
@@ -80,6 +80,28 @@ def is_callback_token_expired(issued_at: Optional[datetime]) -> bool:
     ).total_seconds() / 60.0 > CONFIG.execution.privacy_request_delay_timeout
 
 
+def is_token_invalidated(issued_at: datetime, client: ClientDetail) -> bool:
+    """
+    Return True if the token should be considered invalid due to security events
+    (e.g., user password reset) that occurred after the token was issued.
+
+    Any errors accessing related objects are logged and treated as non-invalidating.
+    """
+    try:
+        if (
+            client.user is not None
+            and client.user.password_reset_at is not None
+            and issued_at < client.user.password_reset_at
+        ):
+            return True
+        return False
+    except Exception as exc:
+        logger.exception(
+            "Unable to evaluate password reset timestamp for client user: {}", exc
+        )
+        return False
+
+
 def _get_webhook_jwe_or_error(
     security_scopes: SecurityScopes, authorization: str = Security(oauth2_scheme)
 ) -> WebhookJWE:
@@ -225,7 +247,7 @@ async def get_current_user(
             created_at=datetime.utcnow(),
         )
 
-    return client.user  # type: ignore[attr-defined]
+    return cast(FidesUser, client.user)
 
 
 def verify_callback_oauth_policy_pre_webhook(
@@ -370,8 +392,10 @@ def extract_token_and_load_client(
         logger.debug("Auth token expired.")
         raise AuthorizationError(detail="Not Authorized for this action")
 
+    issued_at_dt = datetime.fromisoformat(issued_at)
+
     if is_token_expired(
-        datetime.fromisoformat(issued_at),
+        issued_at_dt,
         token_duration_override or CONFIG.security.oauth_access_token_expire_minutes,
     ):
         raise AuthorizationError(detail="Not Authorized for this action")
@@ -394,6 +418,12 @@ def extract_token_and_load_client(
         logger.debug("Auth token belongs to an invalid client_id.")
         raise AuthorizationError(detail="Not Authorized for this action")
 
+    # Invalidate tokens issued prior to the user's most recent password reset.
+    # This ensures any existing sessions are expired immediately after a password change.
+    if is_token_invalidated(issued_at_dt, client):
+        logger.debug("Auth token issued before latest password reset.")
+        raise AuthorizationError(detail="Not Authorized for this action")
+
     # Populate request-scoped context with the authenticated user identifier.
     # Prefer the linked user_id; fall back to the client id when this is the
     # special root client (which has no associated FidesUser row).
@@ -476,6 +506,87 @@ def has_scope_subset(user_scopes: List[str], endpoint_scopes: SecurityScopes) ->
     return set(endpoint_scopes.scopes).issubset(user_scopes)
 
 
+def get_client_effective_scopes(client: "ClientDetail") -> List[str]:
+    """
+    Get all scopes available to a client, including both direct scopes and role-derived scopes.
+
+    Args:
+        client: The ClientDetail instance
+
+    Returns:
+        List of scope strings that the client has access to
+    """
+    effective_scopes = set()
+
+    # Add direct scopes
+    if client.scopes:
+        effective_scopes.update(client.scopes)
+
+    # Add role-derived scopes
+    if client.roles:
+        for role in client.roles:
+            role_scopes = ROLES_TO_SCOPES_MAPPING.get(role, [])
+            effective_scopes.update(role_scopes)
+
+    # Add user permission scopes if client is associated with a user
+    # Note: client.user is available via SQLAlchemy backref from FidesUser.client relationship
+    user = getattr(client, "user", None)  # Use getattr to avoid mypy attr-defined error
+    if user and hasattr(user, "permissions") and user.permissions:
+        effective_scopes.update(user.permissions.total_scopes)
+
+    return sorted(list(effective_scopes))
+
+
+def verify_client_can_assign_scopes(
+    request: "Request",
+    requesting_client: "ClientDetail",
+    scopes: List[str],
+    db: "Session",
+) -> None:
+    """
+    Verify that a requesting client has permission to assign the given scopes.
+
+    Raises HTTPException if the client lacks permission.
+    Root client is exempt from this check.
+
+    Args:
+        request: FastAPI request object containing Authorization header
+        requesting_client: The client making the request
+        scopes: List of scopes to be assigned
+        db: Database session
+
+    Raises:
+        HTTPException: If the client lacks permission to assign the scopes
+    """
+    # Root client can assign any scope
+    if requesting_client.id == CONFIG.security.oauth_root_client_id:
+        return
+
+    # Get the actual token scopes (not the client's database scopes)
+    authorization = request.headers.get("Authorization", "").replace("Bearer ", "")
+    token_data, _ = extract_token_and_load_client(authorization, db)
+
+    # Get token's effective scopes
+    token_scopes = token_data.get("scopes", [])
+
+    # Check if user has the scopes via roles as well
+    has_scope_via_role = has_permissions(
+        token_data=token_data,
+        client=requesting_client,
+        endpoint_scopes=SecurityScopes(scopes),
+    )
+
+    # If they don't have all scopes via direct assignment or roles, check individual scopes
+    if not has_scope_via_role:
+        unauthorized_scopes = set(scopes) - set(token_scopes)
+
+        if unauthorized_scopes:
+            raise HTTPException(
+                status_code=HTTP_403_FORBIDDEN,
+                detail=f"Cannot assign scopes that you do not have. Missing scopes: {sorted(unauthorized_scopes)}",
+            )
+
+
 def create_temporary_user_for_login_flow(config: FidesConfig) -> FidesUser:
     """
     Create a temporary FidesUser in-memory with an attached in-memory ClientDetail

fides/api/schemas/privacy_request_redaction_patterns.py

@@ -0,0 +1,55 @@
+import re
+from typing import List
+
+from pydantic import BaseModel, Field, field_validator
+
+
+class PrivacyRequestRedactionPatternsRequest(BaseModel):
+    """Request schema for updating privacy request redaction patterns."""
+
+    patterns: List[str] = Field(
+        description="List of regex patterns used to redact dataset, collection, and field names in privacy request package reports",
+        max_length=100,  # Limit number of patterns
+    )
+
+    @field_validator("patterns")
+    @classmethod
+    def validate_patterns(cls, patterns: List[str]) -> List[str]:
+        """Validate regex patterns with ReDoS protection via Pydantic's default rust-regex engine."""
+        if not patterns:
+            return patterns
+
+        validated_patterns = []
+        for i, pattern in enumerate(patterns):
+            if not isinstance(pattern, str):
+                raise ValueError(f"Pattern at index {i} must be a string")
+
+            pattern = pattern.strip()
+            if not pattern:
+                raise ValueError(f"Pattern at index {i} cannot be empty")
+
+            # Reasonable length limit for regex patterns
+            if len(pattern) > 500:
+                raise ValueError(
+                    f"Pattern at index {i} is too long (max 500 characters)"
+                )
+
+            # Pydantic's rust-regex engine provides ReDoS protection
+            try:
+                re.compile(pattern, re.IGNORECASE)
+            except re.error as e:
+                raise ValueError(f"Invalid regex pattern at index {i}: {e}")
+
+            validated_patterns.append(pattern)
+
+        return validated_patterns
+
+
+class PrivacyRequestRedactionPatternsResponse(BaseModel):
+    """Response schema for privacy request redaction patterns."""
+
+    patterns: List[str] = Field(
+        description="List of regex patterns used to redact dataset, collection, and field names in privacy request package reports"
+    )
+
+    model_config = {"from_attributes": True}